Uh oh, somebody's not following best practices, that's a paddlin
cm0002@lemmy.world to Cybersecurity - Memes@lemmy.world · 2 months ago · image post · 81 comments
turmacar@lemmy.world · 2 months ago
The hash or a checksum can be sent to the page to be checked by the same function running in your browser that is checking if the new password has special characters etc.
Vigge93@lemmy.world · 2 months ago
That would be an extremely bad idea though, because it would allow a malicious attacker to:
- Try random usernames, and if the website returns a hash they know that user exists
- Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server

Username/password validation should happen entirely server-side, with as little information as possible provided to the client.
aesthelete@lemmy.world · 2 months ago
> Username/password validation should happen entirely server-side, with as little information as possible provided to the client

💯 It's recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
testfactor@lemmy.world · 2 months ago
Seems like a great way for me to harvest a bunch of hashes to pull down to my GPU rig and crack offline.
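Added example, not from the thread and not anyone's production code: the two designs the comments argue about side by side. `leaky_lookup` is the "send the hash to the browser" idea from the first comment; `server_verify` keeps validation server-side with one uniform failure message, as Vigge93 and aesthelete recommend. The attacker functions then show the two consequences Vigge93 lists (user enumeration, and offline cracking that never touches the server's rate limit, which is what testfactor's GPU rig would be doing). Usernames, passwords, the wordlist and the attempt limit are all constructed for the demo; unsalted SHA-256 stands in for "the same function running in your browser", and a real backend should instead use a salted, slow KDF such as Argon2id or bcrypt.

```python
"""Demo (constructed, not from the original post): leaking the stored hash to
the client versus verifying the password server-side."""
import hashlib
import hmac
import os

# Unsalted SHA-256 so the browser could recompute it, mirroring the comment.
# Real systems: salted Argon2id/bcrypt/scrypt, never a fast unsalted hash.
def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed user table.
USERS = {
    "alice": sha256_hex("Summer2024!"),
    "bob": sha256_hex("hunter22"),
}

# --- Design A: server hands the stored hash to the client -------------------
def leaky_lookup(username: str):
    """Returns the stored hash, or None. Existence of the user is observable,
    and the hash itself leaves the server."""
    return USERS.get(username)

# --- Design B: server-side verification, uniform response -------------------
_attempts = {}       # stand-in for a real per-account/IP rate limiter
MAX_ATTEMPTS = 3     # constructed limit for the demo

def server_verify(username: str, password: str) -> str:
    """Same failure string whether the user is unknown or the password is
    wrong, so the response does not say which half failed."""
    n = _attempts.get(username, 0) + 1
    _attempts[username] = n
    if n > MAX_ATTEMPTS:
        return "locked"
    # Compare against a random dummy for unknown users so the work done is
    # similar either way (keeps the timing side channel small).
    stored = USERS.get(username, sha256_hex(os.urandom(16).hex()))
    if username in USERS and hmac.compare_digest(stored, sha256_hex(password)):
        return "ok"
    return "invalid username or password"

# --- Attacker side ------------------------------------------------------------
WORDLIST = ["password", "hunter22", "letmein", "Summer2024!", "qwerty"]  # constructed

def enumerate_users(candidates):
    """Design A: any username that comes back with a hash is confirmed valid."""
    return [u for u in candidates if leaky_lookup(u) is not None]

def crack_offline(target_hash: str, wordlist):
    """Design A: pure local computation; no round-trips, no limiter, and the
    same loop parallelises onto a GPU."""
    for guess in wordlist:
        if sha256_hex(guess) == target_hash:
            return guess
    return None

def online_guess(username: str, wordlist):
    """Design B: every guess is a server request and counts against the
    limiter, so the same wordlist gets the account locked instead."""
    for guess in wordlist:
        result = server_verify(username, guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None

if __name__ == "__main__":
    print("users that exist:", enumerate_users(["alice", "bob", "carol"]))
    print("bob offline:", crack_offline(leaky_lookup("bob"), WORDLIST))
    print("alice offline:", crack_offline(leaky_lookup("alice"), WORDLIST))
    print("unknown user:", server_verify("carol", "anything"))
    print("wrong password:", server_verify("alice", "wrong"))
    print("alice online:", online_guess("alice", WORDLIST))
```

With design A the attacker learns which of `alice`, `bob`, `carol` exist and recovers both passwords without a single further request; with design B the same wordlist produces identical "invalid username or password" answers and then a lockout before the right guess is reached.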